I'm running 3.9-stable on an i386 system.  I have a few daemons running,
  # cat /etc/rc.conf.local
  sshd_flags=NO           # disabled during install
  ntpd_flags=             # enabled during install
  
  apmd_flags="-C"         # cool-running hw.setperf adjustment
  
  lpd_flags="-s"          # secure mode (doesn't listen on TCP, only local socket)
  
  portmap=YES             # for rpc.statd
  nfs_server=YES          # for cfs
  
  pf=YES                  # Packet filter / NAT
  # 

I've just hooked up ADSL, with OpenBSD talking to an "Eumex 300 IP"
DSL modem/router box on bge0.  The system is hopefully protected from
incoming nastygrams by pf, with the following ruleset:
  # pfctl -s rules
  scrub in all fragment reassemble
  block drop log all
  pass quick on lo0 all
  block drop in log quick on ! bge0 from (bge0:network) to any
  block drop in log quick from (bge0) to any
  pass out on bge0 inet from 127.0.0.1 to any keep state
  pass out on bge0 inet from (bge0) to any keep state
  # 
This is supposed to implement the policy "allow arbitrary ipv4 connections
initiated by us, block everything else" (I'll give the full pf.conf below).

Now the mystery:  On past experience (eg from using a dialup connection),
when I looked at the blocked-packet log with
  # tcpdump -e -ttt -i pflog0
I was expecting to see a steady stream of blocked nastygram packets,
mostly assorted microsoft scans (eg port 445).

Instead, what I see is no nastygram packets, but a steady stream of
blocked outbound ntp packets, eg here's a random cut-n-paste from a
few minutes ago, of the output of the above tcpdump command:
  Aug 06 23:35:57.028213 rule 0/(match) block out on bge0: 192.168.105.12.48656 > mircx.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:36:05.038206 rule 0/(match) block out on bge0: 192.168.105.12.23060 > blade.avnf.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:36:22.118203 rule 0/(match) block out on bge0: 192.168.105.12.6746 > c-24-91-98-32.hsd1.ma.comcast.net.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:36:47.528206 rule 0/(match) block out on bge0: 192.168.105.12.4184 > prov1.voip.mia1.net.ststelecom.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:36:57.578211 rule 0/(match) block out on bge0: 192.168.105.12.48656 > mircx.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:37:05.948229 rule 0/(match) block out on bge0: 192.168.105.12.23060 > blade.avnf.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:37:22.988217 rule 0/(match) block out on bge0: 192.168.105.12.6746 > c-24-91-98-32.hsd1.ma.comcast.net.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:37:47.778204 rule 0/(match) block out on bge0: 192.168.105.12.4184 > prov1.voip.mia1.net.ststelecom.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
  Aug 06 23:37:57.028203 rule 0/(match) block out on bge0: 192.168.105.12.48656 > mircx.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]

My /etc/ntpd.conf is *not* changed from the default, i.e. its only
non-blank non-comment line reads
  # egrep -v '^#' /etc/ntpd.conf | egrep -v '^$'
  servers pool.ntp.org

So... I have 2 basic questions:
1. Why are the ntp packets being blocked?  I expected my last pf rule
   to pass them?
2. Seeing no nastygram packets in the last 1/2 hour makes me more than
   a little suspicious.  It just seems a bit too good to be true!  I'm
   sure there are plenty of ms-windows worms out there probing away,
   and I would also find it surprising were my ISP (t-online.de) to
   be filtering my incoming connection that tightly.  Is there something
   wrong with my pf ruleset (that's causing it to not catch incoming
   nastygram packets like I want, or more generally, that's causing it
   to not implement the security policy I described above)?

Here's my /etc/pf.conf:
  # carbon pf.conf (non-pingable) *** with logging ***
  
  # logging configuration
  LOG_BLOCKED = "log"
  LOG_PASSED  = ""
  
  # other macros
  if_private = "bge0"
  addr_us     = "(" $if_private ")"     # our addr (dynamically updated)
  
  
################################################################################
  
  # scrub all packets
  scrub in all
  
  
################################################################################
  
  # default = block all traffic
  block $LOG_BLOCKED all
  
  # allow everything on our loopback interface (overrides antispoof rule below)
  pass quick $LOG_PASSED on lo0 all
  
  # block spoofed traffic
  antispoof $LOG_BLOCKED quick for $addr_us
  
  ### allow anyone to ping us
  ##pass in $LOG_PASSED on $if_private inet                             \
  ##   proto icmp icmp-type echoreq                                     \
  ##   keep state
  
  # allow arbitrary ipv4 connections initiated by us
  pass out $LOG_PASSED on $if_private inet                              \
     from {localhost, $addr_us}                                         \
     keep state

(I realise that leaving logging on like this risks a DoS if there are
a lot of blocked packets.  Normally I leave logging off, for just this
reason.)

thanks for any insights, ciao,

-- 
-- Jonathan Thornburg <[EMAIL PROTECTED]>      
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html      
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

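An added example, not part of the original post: a small parser for the `tcpdump -e -ttt -i pflog0` line format shown above, which tallies blocked packets by direction and destination port so the inbound/outbound split behind the second question can be read off at a glance. The sample lines are constructed in that format (with the mailer's line wrapping undone), and the single inbound entry from 203.0.113.5 is a made-up addition so that both directions appear.

```python
"""Summarise pf block log lines as printed by `tcpdump -e -ttt -i pflog0`."""
import re
from collections import Counter

# Constructed sample in the pflog/tcpdump format seen in the post.  The last
# line (an inbound SYN to port 445 from a documentation address) is invented.
SAMPLE_LOG = """\
Aug 06 23:35:57.028213 rule 0/(match) block out on bge0: 192.168.105.12.48656 > mircx.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
Aug 06 23:36:05.038206 rule 0/(match) block out on bge0: 192.168.105.12.23060 > blade.avnf.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
Aug 06 23:36:57.578211 rule 0/(match) block out on bge0: 192.168.105.12.48656 > mircx.com.ntp:  v4 client strat 0 poll 0 prec 0 [tos 0x10]
Aug 06 23:37:10.000000 rule 0/(match) block in on bge0: 203.0.113.5.3456 > 192.168.105.12.445: S 1:1(0) win 65535
"""

# timestamp, rule number, match reason, action, direction, interface, src > dst
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

def split_endpoint(endpoint):
    """'host.port' -> (host, port); tcpdump appends the port as the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_pflog(text):
    """Return one dict per recognisable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
        records.append(rec)
    return records

def summarise(records):
    """Count blocked packets per (direction, destination port) and per rule number."""
    by_dir_port = Counter((r["dir"], r["dst_port"]) for r in records if r["action"] == "block")
    by_rule = Counter(r["rule"] for r in records)
    return by_dir_port, by_rule

if __name__ == "__main__":
    dir_port, rules = summarise(parse_pflog(SAMPLE_LOG))
    for (direction, port), n in sorted(dir_port.items()):
        print(f"block {direction:3} dport {port:>5}: {n}")
    print("by rule:", dict(rules))
```

Run it against a saved capture (`tcpdump -e -ttt -n -r /var/log/pflog` gives the same line shape with numeric addresses) to see whether any `block in` entries appear at all, rather than scanning the stream by eye.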